
Thread: GDPR

  1. #1

    original PM

    GDPR

    So this is not a new thing - and there is a lot of activity going on where I currently am - seems the new buzzword is GDPR.

    However when I look into it there is not a huge move from the current DPA which we currently comply with.

    Am I over simplifying this?

    or is it something to be concerned about?

    TIA!

  2. #2


    Originally posted by original PM:
    So this is not a new thing - and there is a lot of activity going on where I currently am - seems the new buzzword is GDPR.

    However when I look into it there is not a huge move from the current DPA which we currently comply with.

    Am I over simplifying this?

    or is it something to be concerned about?

    TIA!
    The program I'm working on at the moment is being impacted by this. I've spoken with experts on the subject and they seem quite relaxed about it. However, there is emphasis on how to provide proofs for data privacy on demand when needed (and penalties that could arise).

  3. #3

    original PM

    Originally posted by ruasonid:
    The program I'm working on at the moment is being impacted by this. I've spoken with experts on the subject and they seem quite relaxed about it. However, there is emphasis on how to provide proofs for data privacy on demand when needed (and penalties that could arise).
    Interesting point.

    A lot of work we are doing is around vulnerability from an internal attack - e.g. disgruntled employee nicks/exposes loads of data.

    The reason seems to be that over the past 10-15 years the focus has been on external attacks and these routes are now as secure as they can be (always noting that any system is hackable and so if someone wants your data badly enough they will get it).

    However going back to the first point it may now be easier to compromise an employee with the relevant access levels to get the data.

    No matter what system you have you will always need 1 or more human operators who have access to everything - it is (in my view) the only way you can actually support a system.

    So what I am interested in is - what proof are we going to need to provide when asked.

    Taking it to an extreme just to highlight a point.

    I need to ensure my system admin is under 24/7 surveillance so that I can prove he/she has not been compromised and will expose data.

    I therefore need to keep my 24/7 surveillance team under 24/7 surveillance so that I can ensure they have not been compromised which in turn may mean my sys admin has been compromised.

    Ad nauseam.

    And just to make things easier our DPA/GDPR team have said 'We don't want to give you a list of things to comply to we need you to identify what is relevant'.

    Fact is if this is a law then there are things in scope of it and things not in scope of it - and to be efficient you need to just concentrate on the things in scope.

  4. #4

    TheFaQQer

    Originally posted by original PM:
    Am I over simplifying this?

    or is it something to be concerned about?
    Yes, you're oversimplifying - this is going to be huge and expensive for companies. And lawyers are going to get rich from it. Imagine the volume of PPI calls and lawyers that cropped up - then multiply that at least tenfold.

    The average EU-wide payout for a data protection breach to the individual is 2800EUR. With GDPR, the company will have to pay that plus a fine of up to 4% of their turnover on top of that. So imagine your telecoms company loses customer data for 1000 people (bear in mind how much more have been lost in the past). That's a payout to the victims of 2.8 million immediately plus a fine to pay.

    Last year, Talktalk lost over 150000 customer data - that's a payout to the customers of 420 million if we take the average payout, plus a fine of up to 75 million based on their turnover. They got a 400k fine instead.

    The protections that you get as an individual also make interesting reading - you can prevent companies from sharing your data a lot more easily if there is no valid reason for them to share it. So you can stop your bank from disclosing your details to Experian (for example), because the bank has no reason to share that data. And they are not allowed to discriminate against customers / potential customers on the basis of the customer not sharing their data. Interesting times for the credit reference / database companies - if individuals prevent the banks from sharing their data, and the banks can't discriminate just because they cannot get your data to do a credit check, where does that leave the banks and the likes of Experian?

    Also, the threshold for proving data loss gets a lot lower as well, which is good for the individual and bad for the company. This is going to cost businesses a LOT of money when it hits, there will be some massive high profile large fines early on, and there is little time to get your systems in place to do anything about it. My recommendation to clients would be to put aside 4% of turnover for a breach fine, or put aside 4% of turnover to get your systems in place to deal with the new laws - clearly the latter is more desirable than the former.

    I know an expert in this area who runs a four day training course for 3250, but I can get a discount on that if anyone is interested.

  5. #5

    original PM

    Originally posted by TheFaQQer:
    Yes, you're oversimplifying - this is going to be huge and expensive for companies. And lawyers are going to get rich from it. Imagine the volume of PPI calls and lawyers that cropped up - then multiply that at least tenfold.

    The average EU-wide payout for a data protection breach to the individual is 2800EUR. With GDPR, the company will have to pay that plus a fine of up to 4% of their turnover on top of that. So imagine your telecoms company loses customer data for 1000 people (bear in mind how much more have been lost in the past). That's a payout to the victims of 2.8 million immediately plus a fine to pay.

    Last year, Talktalk lost over 150000 customer data - that's a payout to the customers of 420 million if we take the average payout, plus a fine of up to 75 million based on their turnover. They got a 400k fine instead.

    The protections that you get as an individual also make interesting reading - you can prevent companies from sharing your data a lot more easily if there is no valid reason for them to share it. So you can stop your bank from disclosing your details to Experian (for example), because the bank has no reason to share that data. And they are not allowed to discriminate against customers / potential customers on the basis of the customer not sharing their data. Interesting times for the credit reference / database companies - if individuals prevent the banks from sharing their data, and the banks can't discriminate just because they cannot get your data to do a credit check, where does that leave the banks and the likes of Experian?

    Also, the threshold for proving data loss gets a lot lower as well, which is good for the individual and bad for the company. This is going to cost businesses a LOT of money when it hits, there will be some massive high profile large fines early on, and there is little time to get your systems in place to do anything about it. My recommendation to clients would be to put aside 4% of turnover for a breach fine, or put aside 4% of turnover to get your systems in place to deal with the new laws - clearly the latter is more desirable than the former.

    I know an expert in this area who runs a four day training course for 3250, but I can get a discount on that if anyone is interested.
    I understand that but let's take the Talk Talk example - how do they lose this data?

    Was it just poor data management or did someone do something malicious to make it happen?

    So yes poor data management is unacceptable and this is where the main focus of a lot of companies is - make sure your data is secure and you have control of it - pretty basic stuff really.

    If it is someone doing something malicious then how do you stop that?

    Then looking at the data sharing - the only reason companies share data is to make money - but as GDPR comes in and this now becomes a bad idea - why would a company share data - the only reason is that the senior managers/execs feel they can make a fast buck and screw the risks.

    So really that just comes back to the someone doing something malicious to break the rules.

    To quote your example about PPI - banks did this to make a fast buck and it came back to bite them - this was an exec/senior level decision.

    I am really just pushing the boundaries to try and find out where the problems will be as when I speak to consultants etc we just get vanilla wishy/washy responses - what I am looking for is some examples of how a company could fall foul of the GDPR stuff without trying to.

  6. #6

    TheFaQQer

    Originally posted by original PM:
    I am really just pushing the boundaries to try and find out where the problems will be as when I speak to consultants etc we just get vanilla wishy/washy responses - what I am looking for is some examples of how a company could fall foul of the GDPR stuff without trying to.
    I would suggest talking to Preterlex about it then - The GDPR - business, IT, and law in the privacy New World - PreterLex

    Implementation of GDPR will require complex business process / practice and software level changes - particularly any company where they process data overseas (even more so if it is outside the EU). If companies process data in certain countries where the local laws conflict with GDPR then they will need to stop that happening completely.

    I suspect that most companies will fall foul of the new laws because they don't understand what they have authority to do and what they don't. And the level of data privacy that could be required needs to be understood by everyone in the organisation - they need to know what they can and cannot process. For example, if I say to someone who works at Huxley "you can send my CV over to IBM" what is the data retention of my CV? What is my right to have that erased? How do they process those requests? If the agent finds out that they have to use a third party like Capita, do they have permission to send it? And if they send it anyway, have they committed a data breach?

    Companies will need to have a fundamental look at how they deal with data, how they will deal with it in the future, and how they will ensure that everyone understands that. Systems and processes will need to be reviewed to ensure that they have the appropriate levels of control, access, removal, and metadata about what can be shared and what can't and with whom.

  7. #7

    DaveB

    Originally posted by original PM:
    I understand that but let's take the Talk Talk example - how do they lose this data?

    Was it just poor data management or did someone do something malicious to make it happen?

    So yes poor data management is unacceptable and this is where the main focus of a lot of companies is - make sure your data is secure and you have control of it - pretty basic stuff really.

    If it is someone doing something malicious then how do you stop that?

    Then looking at the data sharing - the only reason companies share data is to make money - but as GDPR comes in and this now becomes a bad idea - why would a company share data - the only reason is that the senior managers/execs feel they can make a fast buck and screw the risks.

    So really that just comes back to the someone doing something malicious to break the rules.

    To quote your example about PPI - banks did this to make a fast buck and it came back to bite them - this was an exec/senior level decision.

    I am really just pushing the boundaries to try and find out where the problems will be as when I speak to consultants etc we just get vanilla wishy/washy responses - what I am looking for is some examples of how a company could fall foul of the GDPR stuff without trying to.
    TalkTalk was a cluster*** from start to finish. It was essentially down to their incompetence and management who didn't want to spend money on securing the data they held.

    They claimed it was a "sophisticated" attack when in reality it was a bunch of kids exploiting known loopholes with readily available scripts they downloaded from the web. The issues they exploited have been known about for years and anyone with a functioning security team in place should have been able to fix them long ago. It got to the point that CESG (now the National Cyber Security Centre) got involved and had to hold a briefing and issue a guidance note on what constituted a "sophisticated" attack. TalkTalk did not fall into that category.

  8. #8
    jas

    GDPR Training

    Has anyone done any or is thinking of doing GDPR training (i.e. to get some knowledge and get a contract role which is asking for GDPR experience)?

    Is it a good idea or bad???

  9. #9

    MarillionFan

    Originally posted by TheFaQQer:
    I would suggest talking to Preterlex about it then - The GDPR - business, IT, and law in the privacy New World - PreterLex

    Implementation of GDPR will require complex business process / practice and software level changes - particularly any company where they process data overseas (even more so if it is outside the EU). If companies process data in certain countries where the local laws conflict with GDPR then they will need to stop that happening completely.

    I suspect that most companies will fall foul of the new laws because they don't understand what they have authority to do and what they don't. And the level of data privacy that could be required needs to be understood by everyone in the organisation - they need to know what they can and cannot process. For example, if I say to someone who works at Huxley "you can send my CV over to IBM" what is the data retention of my CV? What is my right to have that erased? How do they process those requests? If the agent finds out that they have to use a third party like Capita, do they have permission to send it? And if they send it anyway, have they committed a data breach?

    Companies will need to have a fundamental look at how they deal with data, how they will deal with it in the future, and how they will ensure that everyone understands that. Systems and processes will need to be reviewed to ensure that they have the appropriate levels of control, access, removal, and metadata about what can be shared and what can't and with whom.

    Also additional processes around 'Right to be Forgotten' or 'Data Port Requests' form part of the new GDPR.

    Imagine a company with 100's of systems who has customer data replicated everywhere. I can request that data be deleted, and failure to do so will result in a fine. 4% of turnover is scaring the crap out of companies. Clientco has set up a task force & I'm getting a lot of interest. It's going to be a little like Y2K as everyone panics coming towards May. Some money to be made in the short-term, especially around auditing.

  10. #10


    Originally posted by jas:
    Has anyone done any or is thinking of doing GDPR training (i.e. to get some knowledge and get a contract role which is asking for GDPR experience)?

    Is it a good idea or bad???
    Possibly. It could be a Y2K-like bonanza. On the other hand, it could be that bob's your uncle and Indian consultancies have been bidding on outsourcing these projects for the past couple of years.

    In my recent experience lawyers have been engaged to address the risks around GDPR.
